The New York Times reported on May 13 that U.S. companies showed up in force at the International Data Protection Day conference that day in Berlin. The Times article also mentioned the presence of Hogan Lovells at the conference. In addition to the heightened interest in data protection evidenced by U.S. business that is described in the NY Times, the Berlin conference showcased the continued sparring between the EU and the U.S. on the adequacy of U.S. privacy laws and also provided a comprehensive update on data protection developments worldwide. The topics for the day began with the proposed EU data protection regulation and ended with U.S. privacy and security enforcement, with numerous developments in other countries sandwiched in between.
For the second year in a row, corporate directors and general counsel have ranked cybersecurity as a top-of-mind concern. On May 8, Corporate Board Member and FTI Consulting released the results of their 2013 Law in the Boardroom survey of over 550 directors and general counsel. As the report notes, “the newest area of major concern continues a trend noted in last year’s study: data security and IT risk is one of the most significant issues for both directors and general counsel.” Hogan Lovells partner Harriet Pearson explained why cybersecurity has become a top-of-mind concern as part of her article on “Cybersecurity: the Corporate Counsel’s Agenda,” which presented a ten-point agenda for managing cyber risk.
The survey found that data security was a close second for both directors and general counsel on the list of issues that will keep them up at night. And more than a quarter of all respondents ranked cyber risk oversight as an area that will require their attention in 2013. These results are unsurprising given the past year’s heightened congressional and executive scrutiny on cybersecurity issues (e.g., congressional hearings on cybersecurity and NIST’s development of a Cybersecurity Framework), coupled with increasing media coverage of cybersecurity incidents such as this report on a coordinated “cyberheist” that stole $45 million from 2,904 ATMs in a matter of hours.
Less than two weeks after providing additional guidance on the recent changes to the Children’s Online Privacy Protection Act (“COPPA”) Rule, in the form of updated Frequently Asked Questions, the Federal Trade Commission (“FTC”) voted unanimously to retain the July 1, 2013 effective date for the changes to the COPPA Rule. The Commission’s vote came in response to a letter from representatives of a number of trade associations and industry groups, including the Internet Association, the Interactive Advertising Bureau, the U.S. Chamber of Commerce, and the Application Developers Alliance. The letter asked the FTC to delay the compliance date for the changes to the COPPA Rule for six months – which would have made the new compliance date January 1, 2014 – in order to give businesses more time to comply with the revised rule’s new requirements.
On April 19, the European Union’s Article 29 Working Party adopted Explanatory Document WP204 on processor Binding Corporate Rules (BCRs). Processor BCRs provide a new avenue for data controllers to transfer EU personal data to processors (such as cloud service providers) located in third countries not considered to ensure an adequate level of protection under the 1995 EU Data Protection Directive.
The Article 29 Working Party, noting the success of controller BCRs and citing the “growing interest of industry in such a tool,” provided initial guidance on processor BCRs in June 2012 through Working Document WP195 (which we previously covered here). WP195 presented a “toolbox” that laid out the criteria for approval of processor BCRs, as well as explanatory notes on the content expected in the processor BCRs. As of January 1, 2013, the EU began accepting applications for approval of processor BCRs.
On April 23, the French data protection authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), published its annual report for 2012, emphasizing a significant increase in complaints, audits, and sanctions. We review each of these topics addressed by the CNIL’s report.
On April 25, Hogan Lovells partner Harriet Pearson testified before the US House of Representatives on the relationship between cybersecurity and privacy in business. The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security held a hearing on “Striking the Right Balance: Protecting our Nation’s Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties” to examine existing privacy protections and learn more about potential improvements. In her testimony, Pearson summarized the challenge:
The relationship between cybersecurity and privacy is complex. On the one hand, cybersecurity that protects data from intrusion, theft, and misuse obviously is a significant privacy safeguard. On the other hand, cybersecurity measures that monitor access and use can implicate the collection of personal information (or data that can be linked to individuals), and thus raise privacy concerns.
With cybersecurity now ranked as the top concern for general counsel and corporate board members, and with the regulatory and legislative landscape so active (e.g., the House’s passage of CISPA and the President’s Executive Order), Hogan Lovells is proud to be a sponsor of the inaugural Cybersecurity Law Institute, to be held at the Georgetown University Law Center in Washington, DC, on May 22–23, 2013.
Hogan Lovells partner Harriet Pearson, a co-chair of the Institute’s Advisory Board, said that “cybersecurity legal risks and issues are high-stakes, emerging, and complex. That’s why this inaugural program is so needed—to help build the legal community’s practical know-how and skills to advise on what has rapidly become one of the top enterprise risks in almost all industries.” She continued, “It’s not only the high-profile speakers, such as Deputy Attorney General James Cole, that will distinguish this event. Institute participants will take home practical insights gleaned from the program’s fast-paced and realistic simulations of lawyers, business leaders, law enforcement officials, and technologists working together to handle the kinds of cyber attacks increasingly common across industries.”
Hogan Lovells Privacy partner Christopher Wolf presented the conflict between anonymity and curtailing online hate speech in a recent post on the blog of the International Association of Privacy Professionals, Privacy Perspectives. The post references Chris’ forthcoming book Viral Hate: Containing its Spread on the Internet which he co-authored with Anti-Defamation League National Director Abraham Foxman, and explains that in certain cases a real-name policy by online intermediaries is appropriate.
On April 18, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, which would enable companies to share information about cyber threats while benefiting from certain liability protections. The bill passed despite a White House threat earlier this week to veto the bill. The vote was 288-127, with 196 Republicans and 92 Democrats in favor, and 29 Republicans and 98 Democrats opposed—and thus the House vote would be sufficient to override any presidential veto.
Reps. Rogers (R-Mich.) and Ruppersberger (D-Md.) introduced CISPA again this year shortly after the President issued his Executive Order on “Improving Critical Infrastructure Cybersecurity” (which we covered previously). A similar version of the bill passed the House in 2012, but stalled in the Senate. And the White House similarly threatened to veto the bill last year.
In Bloomberg BNA’s Privacy and Security Law Report, Hogan Lovells attorneys Des Hogan, Michelle Kisloff, and Christopher Wolf have published an article describing the higher-risk litigation and enforcement environment in which companies in the United States now operate. After analyzing recent class actions and regulatory developments, the article offers guidance on how companies can reduce their financial and reputational exposure.
James Denvil, an associate in our Washington office, contributed to the article.